On Sat, May 06, 2023 at 04:07:56PM +0200, Gabriel Corona wrote: > Hi, > > > In the mean time, it's probably a good idea to drop > > "application/x-sh;application/x-shellscript" from the list of supported > > mime type to limit the risk. (I assume that even with "text/plain" and a > > .sh file extension or a shebang, kitty might still decide to execute the > > script... so the issue is not entirely fixed, but it reduces the number > > of > > cases where "kitty +open" is invoked on shell scripts) > > Indeed, you can use a file with MIME type such as text/ascii or > x-scheme-handler/kitty and a .tool file extension and it will be executed > through kitty. > > Affected software include: mail clients (mutt, Thunderbird [3,4]), browsers > (Firefox [1,2]), PDF viewers (Okular [5]). > > [1] https://www.gabriel.urdhr.fr/img/kitty-firefox1.png > [2] https://www.gabriel.urdhr.fr/img/kitty-firefox2.png > [3] https://www.gabriel.urdhr.fr/img/kitty-thunderbird1.png > [4] https://www.gabriel.urdhr.fr/img/kitty-thunderbird2.png
The above examples prompt the user, so they're making an explicit choice. That's less of an issue. > > Or it's the users responsibility to configure their system to > > view shell files rather than execute them, if they are in the habit of > > clicking exe's attached to emails or otherwise clicking untrusted shell > > scripts. > > Or it is our responsibility to ship with a secure by default configuration? I'm leaning towards shipping kitty-open.desktop under /usr/share/doc/kitty/examples and adding a note to README.Debian about how to install it and the implications. I've not used this particular functionality of Kitty, so I'm not sure how this will change the usual user experience. However, I think this is a safer default and provides more information to the user. Cheers, -- James GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7 2D23 DFE6 91AE 331B A3DB
